Responsible Disclosure: SVG injection in

by @edent | # # # # # # | 4 comments | Read ~514 times.
The website has a circle drawn on it.

Here’s a quick write-up of a minor XSS (Cross Site Scripting) vulnerability on the website of – one of the UK’s mobile providers. A brief recap… Most websites have a search function. If you search for something which cannot be found, the site will often say “No results found for XYZ.” If we can…

Continue reading →

Security issues on ArtChain

by @edent | # # # # | 4 comments | Read ~4,492 times.
A website with a popup notification.

One of the problems with the BlockChain goldrush is that it attracts a lot of people who don’t necessarily have the required technical skill to safely run a service. This in turn reduces trust in the ecosystem. I’d like to discuss – “Certifying Art Using the Bitcoin Blockchain” – and the some of the…

Continue reading →

Minimum Viable XSS

by @edent | # # # | Read ~2,665 times.

Here’s a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack? Let’s take an entirely theoretical example – suppose we have a site which echos back user input without sanitising it. So a search for ” <em>” turns the whole page italic. *ahem*…

Continue reading →

Responsible Disclosure – XSS Flaw at

by @edent | # # # # | Read ~365 times.

Another day, another bug! is a “money saving” site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing. Links removed, because the site has disappeared. My Trade Union, Prospect, has just launched a white-labelled “Members’ Rewards” based on LetsSaveMoney – that’s how I came across this…

Continue reading →

Private Eye – Not As Clever As They Think They Are

by @edent | # # # # | 2 comments | Read ~275 times.

Private Eye is the only “Dead Tree” publication I buy. I think its satire misses the mark more often than not – but its investigative journalism and general muck-raking are second to none. The Eye has reluctantly been drawn into the digital age. It has a piss-poor website run by the sort of “tired and…

Continue reading →

Privacy and Security Flaw with CAB

by @edent | # # | Read ~134 times.

The Citizens’ Advice Bureaux have just released a real-time view of what people are searching for on its site. It’s heartbreaking. Interesting new digital stuff emerging from @CitizensAdvice <– uncomfortable, messy, visceral reality @mikedixonCAB — Tom Loosemore (@tomskitomski) October 21, 2014 who supplies my electricity why do some children become looked after will i…

Continue reading →

The Unsecured State Part 2 – EduBase XSS (Disclosed & Fixed)

by @edent | # # # # | 6 comments | Read ~1,444 times.

This is part 2 of a series of blog posts looking at the security of the UK Government’s web infrastructure. Many XSS flaws rely on altering the GET parameters of a request. Some webmasters seem to think that if their forms only use POST they will be immune from the XSS. This is not the…

Continue reading →

The Unsecured State Part 1 – UK Parliament XSS Flaw (Disclosed & Fixed)

by @edent | # # # # | 5 comments | Read ~1,609 times.

This is part 1 of a series of blog posts looking at the security of the UK Government’s web infrastructure. The UK Parliament website is pretty great. It houses a huge amount of historical information, lets people easily see what’s happening in the Commons and the Lords, and is run by some really clever people.…

Continue reading →

Huffington Post UK XSS Flaw (Disclosed & Fixed)

by @edent | # # # | Read ~125 times.

The UK version of the Huffington Post was vulnerable to an XSS flaw. This allowed any malicious user to inject images, video, text, and JavaScript into the page. Although the above image show a very silly use of XSS, it could quite easily be used to craft a page to encourage journalists and readers to…

Continue reading →

Mydex XSS Flaw (Disclosed & Fixed)

by @edent | # # # | Read ~192 times.

Ever heard of Mydex? Here’s how they describe themselves: Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data. Not just secure, but hyper-secure! They’ve been signed up by the…

Continue reading →